Meraki integration with External Captive portal

Alexs20
Getting noticed

Meraki integration with External Captive portal

Hi,

I am looking for help with integrating our external captive portal with Meraki Cloud controller.
Of course, I did some search before to see if anyone already asked for the same question and found lot of responses, but all of them are referring to “Sign-on Splash” solution which I think is not quire suitable for our case.

So, here is my scenario that I need to achieve.

Guest’s Flow

  1. Guest connects to AP.
  2. Meraki sends RADIUS access request message to OUR FreeRADIUS server.
    1. If authenticated, then Meraki grants access to the network with Session Bandwidth, Session Duration and Session Idle Timeout parameters provided in RADIUS response and end of the flow.
    2. Otherwise see next steps.
  3. AP redirects the client to splash server.
  4. Splash page displays content and includes additional parameters in the URL. Required dynamic parameters to be injected by Meraki are MAC and VLAN.
  5. Guest interacts with the site.
  6. Form submission sends data to OUR backend.
  7. OUR backend talks to Meraki via Northbound Interface and authenticates the user using MAC address (additional parameters also possible)
  8. Meraki sends RADIUS access request message to OUR FreeRADIUS server to confirm the authentication .
    1. If authenticated, then Meraki grants access to the network with Session Bandwidth, Session Duration and Session Idle Timeout parameters provided in RADIUS response and end of the flow.
    2. Otherwise, user stays on Login page.
  9. Once authenticated, Meraki may cache Guest’s authentication status and not to interact with FreeRADIUS on Guest’s disconnect-connect cycles. But if Guest tries to access previously not authenticated VLAN then the flow should start from step 1.
  10. Meraki should send accounting data to OUR FreeRADIUS server.

Administrator’s capabilities (from our backend side)

  1. Administrator can query Guest’s status by MAC and VLAN by sending request to Northbound interface.
  2. Administrator can remove Guest from the network by MAC and VLAN by sending request to Northbound interface.

 

Thanks in advance for any help.

14 Replies 14
alemabrahao
Kind of a big deal
Kind of a big deal

Yes, the splash page is the only option that you have.

Look at this article.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_a_Custom-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed


But this option has many inconsistencies with our scenario.
Like redirect URL has only MAC and no VLAN, authentication performed by POSTing request to Meraki and requires User/password of the Guest, while we want to talk to our backend and then iteract with Meraki via NB interface…

I cannot believe that Ruckus has all these capabilities, Aruba has them as well, but Meraki not?

alemabrahao
Kind of a big deal
Kind of a big deal

First of all this is not a vendor feature, dynamic VLAN is something sent by Radius Server via Radius attribute. See the last link for attributes supported for Slapsh Page with Radius authentication.

 

 
 
 
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

There is an example.

 

FreeRadius Integration with OpenLDAP and Dynamic Vlan Assignment with Meraki (CentOS v7)

 

https://community.meraki.com/t5/Wireless-LAN/FreeRadius-Integration-with-OpenLDAP-and-Dynamic-Vlan-A...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal

One more thing, for Spalsh page with custom radius the Meraki cloud must be able to communicate with your RADIUS servers via the Internet.

 

alemabrahao_0-1691781106087.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

Oh, that's not a problem. We already do such integration with other vendors and they are talking to us via internet.

alemabrahao
Kind of a big deal
Kind of a big deal

I just noticed that the Radius Override is only possible using 802.1x (WPA2 enterprise)

 

alemabrahao_0-1691781464280.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

Theoretically we do not need to override VLAN. We just need to assign VLAN to SSID during the configuration process, and then simply receive that info during the authentication...
I presume we can encode that info in NAS-identifier filed and parse it on our RADIUS side. it should be fine.
The only issue, is that we need to receive the VLAN info also in Login Page (and then pass it to out backend), but i presume i can include it as well as part of the base URL, so each SSID will have a unique Captive portal URL (i hope we can do it per SSID)

The only problem that I see so far is how our backend can talk back to Merak to let it know that user completed the authentication process on our side and ask Meraki to talk to our RADIUS server again to re-authenticate the user without posting any data to Meraki from Login page

I see some info about "splashAuthorizationStatus" API. is this something that i can use to do that?

alemabrahao
Kind of a big deal
Kind of a big deal

Sorry buddy, I'm not a developer so I don't have that information.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

oh, np, all good, I probably need to get the real device and play with the config to see what I can and cannot do.
but anyways, thanks 🙂

Alexs20
Getting noticed

But if I understand correctly the "RADIUS Authentication with a Sign-On Splash Page" option cannot use external Login page? Am I right?

alemabrahao
Kind of a big deal
Kind of a big deal

Yes, you can.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Alexs20
Getting noticed

Oh, then that's good. Unfortunately I do not have access to Meraki HW right now and cannot experiment with it, this is just my initial research regarding how we are going to connect it (if we can),
and in docs I do not see examples of how to configure external login page in "RADIUS Authentication with a Sign-On Splash Page" mode and how to talk back to Meraki to force the re-authentication process after user post the data to our backend, so this is why I am asking silly questions...

alemabrahao
Kind of a big deal
Kind of a big deal

And also check this one.

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Configuring_RADIUS_Au...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels